Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)

To: tech-security%netbsd.org@localhost
Subject: Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)
From: Jan Danielsson <jan.m.danielsson%gmail.com@localhost>
Date: Mon, 23 Mar 2009 21:10:40 +0100

David Brownlee wrote:
[---]

Collectively this sounds more like two projects to me, though the
latter could suffice for both cases, for a first stab at it.  The
latter is also less low-level code and more scripting work (and
perhaps crunchgen for space), which may make multiplatform support
less painful.  Mentors' mileage may vary.


    Could you clarify how the latter would work - is the intention
    to allow the system to boot up to a point where the administrator
    can connect in to finish cgd configuration and remount?

    I can see the utility of both, and would be very happy with
    either :)

I've previously been using the sysctl init.chroot to switch from aram image root to a cgd based root. This allows me to have the cgdparameters physically separated from the computer in question. Thissolution is not perfect, as it doesn't appear to work on NetBSD/amd64when booting from an USB memory key (see PR 36963).

In a previous discussion concerning this particular bug, ThorLancelot Simon expressed some skepticism about the way init.chroot isimplemented, so I started thinking about alternative ways to implement"root on cgd".

I've been looking into if it's possible to hard code the cgdparameters in a kernel configuration, and tell the kernel to mount rooton a cgd-device. The goal is to be able to have the cgd parametersphysically separated from the rest of the system (apart from theparameters in ram). Unfortunately, work has been keeping me too busy toput any real effort into it. I might just as well ask here; would it bepossible to boot a kernel, which is hardcoded to use cgd0 as a root, offa USB memory key? Obviously the kernel will need to configure the cgd0device prior to mounting root, which may be a source of difficulties.

If it's possible, I'd be willing to implement this myself, but itwould move along faster if someone would be willing to give me tips if Iget stuck. So, would it work? If so, are there any non-GoS mentorsavailable?

This obviously won't help first time installers, so gettingcgd-integration in the installer is a separate (and very important,imho) project.



--
Kind regards,
Jan Danielsson

Attachment: signature.asc
Description: OpenPGP digital signature

Follow-Ups:
- Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)
  - From: Thor Lancelot Simon

References:
- summer of code - scrub feature
  - From: Stathis Kamperis
- Re: summer of code - scrub feature
  - From: Thor Lancelot Simon
- Re: summer of code - scrub feature
  - From: Alistair Crooks
- Re: summer of code - scrub feature
  - From: Thor Lancelot Simon
- Re: summer of code - scrub feature
  - From: Christos Zoulas
- Re: summer of code - scrub feature
  - From: David Brownlee
- Re: summer of code - scrub feature
  - From: Todd Vierling
- Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)
  - From: David Brownlee
- Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)
  - From: Todd Vierling
- Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)
  - From: David Brownlee

Prev by Date: Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)
Next by Date: Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)
Previous by Thread: Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)
Next by Thread: Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)
Indexes:

Home | Main Index | Thread Index | Old Index